Merge pull request #56 from aws-cloudformation/release-0.7.0

Release 0.7.0

.travis.yml

@@ -1,10 +1,7 @@
 language: rust
 
 script:
-  - cd cfn-guard && cargo build --verbose --all && cargo test --verbose --all
-script:
-  - cd cfn-guard-lambda && cargo build --verbose --all && cargo test --verbose --all
-script:
-  - cd cfn-guard-rulegen && cargo build --verbose --all && cargo test --verbose --all
-script:
-  - cd cfn-guard-rulegen-lambda && cargo build --verbose --all && cargo test --verbose --all
+  - pushd cfn-guard && cargo build --verbose --all && cargo test --verbose --all; popd
+  - pushd cfn-guard-lambda && cargo build --verbose --all && cargo test --verbose --all; popd
+  - pushd cfn-guard-rulegen && cargo build --verbose --all && cargo test --verbose --all; popd
+  - pushd cfn-guard-rulegen-lambda && cargo build --verbose --all && cargo test --verbose --all; popd

NOTICE

@@ -1 +1,2 @@
+CloudFormation Guard
 Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.

README.md

@@ -2,9 +2,11 @@
 
 This repo contains source code for the following tools:
 
-* `CloudFormation Guard` A CLI tool that checks AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax 
-* `CloudFormation Guard Lambda` is the AWS Lambda version of `CloudFormation Guard`
-* `CloudFormation Guard Rulegen` automatically generates CloudFormation Guard rules from existing CloudFormation templates
+* `CloudFormation Guard` A CLI tool that 
+	* Checks AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax
+	* Can autogenerate rules from existing CloudFormation templates
+* `CloudFormation Guard Lambda` is the AWS Lambda version of CloudFormation Guard's `check` functionality 
+* `CloudFormation Guard Rulegen Lambda` is the AWS Lambda version of CloudFormation Guard's `rulegen` functionality
 
 ## How it works
 
@@ -48,7 +50,7 @@ AWS::EC2::Volume Size <= 100
 You can check the template to ensure that it adheres to the rules.
 
 ```
-$> cfn-guard -t Examples/ebs_volume_template.json -r Examples/ebs_volume_template.ruleset
+$> cfn-guard check -t Examples/ebs_volume_template.json -r Examples/ebs_volume_template.ruleset
 
 [NewVolume2] failed because [Encrypted] is [false] and the permitted value is [true]
 [NewVolume] failed because [Encrypted] is [false] and the permitted value is [true]
@@ -61,7 +63,7 @@ Number of failures: 3
 CloudFormation Guard can be used to evaluate security best practices for infrastructure deployed via CloudFormation. A number of example rules are included:
 
 ```
-$> cfn-guard -t Examples/security_template.json -r Examples/security_rules.ruleset
+$> cfn-guard check -t Examples/security_template.json -r Examples/security_rules.ruleset
    "[AmazonMQBroker] failed because [AutoMinorVersionUpgrade] is [false] and Version upgrades should be enabled to receive security updates"
    "[AmazonMQBroker] failed because [EncryptionOptions.UseAwsOwnedKey] is [true] and CMKs should be used instead of AWS-provided KMS keys"
    "[AmazonMQBroker] failed because [EngineVersion] is [5.15.9] and Broker engine version should be at least 5.15.10"
@@ -71,22 +73,22 @@ $> cfn-guard -t Examples/security_template.json -r Examples/security_rules.rules
 More details on how to write rules and how the tool can work with build systems can be found [here](cfn-guard/README.md).
 
 ### Automatically Generating Rules
-You can also use the `CloudFormation Guard Rulegen` tool to automatically generate rules from known-good CloudFormation templates.
+You can also use the `CloudFormation Guard` tool to automatically generate rules from known-good CloudFormation templates.
 
-Using the same template as above, `cfn-guard-rulegen` would produce:
+Using the same template as above, `cfn-guard rulegen` would produce:
 
 ```
-$> cfn-guard-rulegen Examples/ebs_volume_template.json
+$> cfn-guard rulegen Examples/ebs_volume_template.json
 AWS::EC2::Volume Encrypted == false
 AWS::EC2::Volume Size == 101 |OR| AWS::EC2::Volume Size == 99
 AWS::EC2::Volume AvailabilityZone == us-west-2b |OR| AWS::EC2::Volume AvailabilityZone == us-west-2c 
 ```
 
 From there, you can pipe them into a file and add, edit or remove rules as you need.
 
-### Checking templates using the Lambda
+### Using the tool as an AWS Lambda
 
-Everything that can be checked from the command-line version of the tool can be checked using [the Lambda version](./cfn-guard-lambda/README.md).
+Everything that can be checked from the command-line version of the tool can be checked using [the Lambda version](./cfn-guard-lambda/README.md).  The same is true for the [rulegen functionality](./cfn-guard-rulegen-lambda/README.md).
 
 ## Setting it up
 
@@ -134,7 +136,7 @@ Details on how to build the tools and use them are available in each tool's READ
 
 [CloudFormation Guard Lambda](cfn-guard-lambda/README.md)
 
-[CloudFormation Guard Rulegen](cfn-guard-rulegen/README.md)
+[CloudFormation Guard Rulegen Lambda](cfn-guard-rulegen-lambda/README.md)
 
 ## Using the Makefile
 

cfn-guard-lambda/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "cfn-guard-lambda"
-version = "0.6.0"
+version = "0.7.0"
 edition = "2018"
 
 [dependencies]

cfn-guard-lambda/Makefile

@@ -5,7 +5,7 @@ project_name = cfn-guard-lambda
 role_arn := ${CFN_GUARD_LAMBDA_ROLE_ARN}
 request_payload_fail = '{ "template": "{\n    \"Resources\": {\n        \"NewVolume\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n                \"Size\" : 100,\n                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        },\n        \"NewVolume2\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n                \"Size\" : 99,\n                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        } }\n}",\
                      "ruleSet": "let require_encryption = true\nlet disallowed_azs = [us-east-1a,us-east-1b,us-east-1c]\n\nAWS::EC2::Volume AvailabilityZone NOT_IN %disallowed_azs\nAWS::EC2::Volume Encrypted != %require_encryption\nAWS::EC2::Volume Size == 101 |OR| AWS::EC2::Volume Size == 99\nAWS::IAM::Role AssumeRolePolicyDocument.Version == 2012-10-18\nAWS::EC2::Volume Lorem == true\nAWS::EC2::Volume Encrypted == %ipsum\nAWS::EC2::Volume AvailabilityZone != /us-east-.*/",\
-                      "strict_checks": true}'
+                      "strictChecks": true}'
 
 #======================================================================
 # Request Payload Fail:
@@ -49,7 +49,7 @@ request_payload_fail = '{ "template": "{\n    \"Resources\": {\n        \"NewVol
 
 request_payload_pass = '{ "template": "{\n    \"Resources\": {\n        \"NewVolume\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n                \"Size\" : 100,\n                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        },\n        \"NewVolume2\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n                \"Size\" : 99,\n                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        } }\n}",\
                      "ruleSet": "let require_encryption = true",\
-                      "strict_checks": true}'
+                      "strictChecks": true}'
 
 #======================================================================
 # Request Payload Pass
@@ -83,7 +83,7 @@ request_payload_pass = '{ "template": "{\n    \"Resources\": {\n        \"NewVol
 
 request_payload_err = '{ "template": "{\n    \"Resources\": \n        \"NewVolume\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n                \"Size\" : 100,\n                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        },\n        \"NewVolume2\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n                \"Size\" : 99,\n                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        } }\n}",\
                      "ruleSet": "let require_encryption = true",\
-                      "strict_checks": true}'
+                      "strictChecks": true}'
 
 #======================================================================
 # Request Payload Fail